In recent years, authors of malicious software (“malware”) have attempted to proliferate malware by generating thousands or potentially millions of variations of a malicious file. For example, a malware author may create a unique version of a malicious file for each intended target by repacking (i.e., compressing, encrypting, and/or otherwise obfuscating) the file on a server before distributing the same. Unfortunately, because many existing anti-virus technologies detect malware by detecting or identifying unique digital signatures or fingerprints associated with known-malicious files, malware authors may avoid detection by only distributing new (i.e., unique), repacked versions of malicious files.
In light of this, at least one security-software vendor has begun implementing reputation-based security systems. In a reputation-based security system, a security-software vendor may attempt to determine the trustworthiness of a file by collecting, aggregating, and analyzing data from potentially millions of user devices within a community, such as the security-software vendor's user base. For example, by determining a file's origin, age, and prevalence within the community (such as whether the file is predominantly found on at-risk or “unhealthy” machines within the community), among other details, a security-software vendor may gain a fairly accurate understanding as to the trustworthiness of the file.
However, in order to avoid producing an unacceptable number of false positives, reputation-based security systems may allow new files (i.e., files that have not been encountered before within the community) to be stored and run on user devices. Thus, by only distributing unique, repacked versions of malicious files, malware authors may circumvent some reputation-based security systems. As such, the instant disclosure identifies a need for systems and methods for effectively detecting unique instances of packed malware.